14/10/2021

Hive Ransomware – Vulnerability Alert

Ransomware has continued to be a significant threat not just to the education and research sectors but to all industries this year. A new ransomware group, known as Hive, is rising in prominence due to their sophisticated tool set and targeting of hospitals and critical infrastructure. 

As this group poses a relevant threat to our sector, this informational alert contains guidance to mitigate the reported techniques the group uses to attack victims.

Most commonly, the attacks start with a phishing attack that uses malicious attachments to gain access and download an initial payload. The group often uses RDP for lateral movement across the network but has also been seen to use vulnerabilities in software products.

Like many ransomware groups now, Hive uses a double extortion technique: they exfiltrate interesting data before encryption, which allows them to threaten publication on their leak site if the victim does not pay.

Recommended actions: 

  • Back up critical data securely – multiple copies, including offline 
  • Use multi-factor authentication for all users, especially on remote access services 
  • Ensure all devices and applications are patched and up-to-date 
  • Install and keep up-to-date anti-virus on all hosts 
  • Search infrastructure for the IOCs below and block where possible 
  • Monitor services for abnormalities 
  • Educate/remind users about phishing/phishing techniques 

Key IOCs: 

  • 46.166.161[.]93 
  • 176.123.8[.]228 – Cobalt Strike Beacon  

Files Created: 

  • Hive.bat 
  • Shadow.bat 

File Extensions Added: 

  • .key.* 
  • .key.hive 
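
One way to carry out the "search infrastructure for IOCs" action, as an added example that is not part of the original alert: the Python below checks firewall-style log lines for the two addresses and file listings for the file names and extensions above. The log format, function names and sample data are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicators copied from the alert above, still defanged as published.
DEFANGED_IPS = ["46.166.161[.]93", "176.123.8[.]228"]
IOC_FILENAMES = {"hive.bat", "shadow.bat"}
# ".key.*" and ".key.hive": any file name ending in ".key.<suffix>".
IOC_EXTENSION = re.compile(r"\.key\.[^.\\/]+$", re.IGNORECASE)
# Whole IPv4 tokens only, so 146.166.161.93 or 46.166.161.930 do not match.
IPV4_TOKEN = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?!\d|\.\d)")
IOC_IPS = {ip.replace("[.]", ".") for ip in DEFANGED_IPS}  # refang for matching

def find_ip_hits(log_lines):
    """Return (line_number, ip) for every IOC address seen in the log lines."""
    return [(number, ip)
            for number, line in enumerate(log_lines, start=1)
            for ip in IPV4_TOKEN.findall(line) if ip in IOC_IPS]

def find_file_hits(paths):
    """Return (path, reason) for paths matching an IOC file name or extension."""
    hits = []
    for path in paths:
        name = PureWindowsPath(path).name  # accepts both \ and / separators
        if name.lower() in IOC_FILENAMES:
            hits.append((path, "filename"))
        elif IOC_EXTENSION.search(name):
            hits.append((path, "extension"))
    return hits

# Constructed sample data, not real telemetry (192.0.2.x and 198.51.100.x
# are documentation ranges; the log layout is an assumption).
SAMPLE_LOG = [
    "2021-10-14T09:01:12Z ALLOW src=192.0.2.10 dst=198.51.100.7:443",
    "2021-10-14T09:02:40Z ALLOW src=192.0.2.23 dst=176.123.8.228:443",
    "2021-10-14T09:03:05Z ALLOW src=192.0.2.23 dst=146.166.161.93:80",
    "2021-10-14T09:04:55Z DENY  src=46.166.161.93 dst=192.0.2.5:3389",
]
SAMPLE_PATHS = [
    r"C:\Users\Public\shadow.bat",
    r"D:\Shares\Finance\budget.xlsx.key.hive",
    "/srv/share/notes.key.a1b2c",
    r"C:\Tools\keys\id_rsa.key",
]

if __name__ == "__main__":
    for hit in find_ip_hits(SAMPLE_LOG) + find_file_hits(SAMPLE_PATHS):
        print(hit)
```

A hit on either address or on `.key.*` files is a prompt for investigation of the affected host, not proof of compromise on its own.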

Questions:

If you have any questions or concerns about this advisory, please contact us via our support desk – support@empsn.org.uk
